The UEM server, for each unique policy managed, must validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent] associated with a policy signing key uniquely associated with the policy.
Overview
Finding ID
Version
Rule ID
IA Controls
Severity
V-264369
SRG-APP-000427-UEM-000502
SV-264369r985781_rule
High
Description
It is critical that the UEM server sign all policy updates with validated certificate or private keys. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy.
This requirement focuses on communications protection for the application session rather than for the network packet.
This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs).
Satisfies: FMT_POL_EXT.1.3
Reference: PP-MDM-411071
Verify the UEM server, for each unique policy managed, validates the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy].
If the UEM server does not validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy, this is a finding.
Fix Text (F-68191r985780_fix)
Configure the IUEM server, for each unique policy managed, to validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy].